Companies not doing enough to protect confidential info

Small business increasingly complacent about safeguards: Survey

06/14/2012 | hrreporter.com | Last Updated: 06/14/2012

Many organizations, regardless of size, are not making document security part of their business culture and could be putting themselves and customers at risk, according to a survey released by Shred-it, an information security company.

Large businesses seem more inclined than smaller ones to do their homework and toe the line when protecting their confidential information. For example, 95 per cent of 100 large enterprises surveyed are at least somewhat aware of the legal requirements of storing, keeping or disposing of confidential data in their industry, compared to 76 per cent of 1,001 small businesses surveyed.

Similarly, 93 per cent of large organizations surveyed have an employee directly responsible for managing data security issues, compared to 52 per cent of small businesses, said the 2012 Shred-it Information Security Tracker.

Despite these efforts, 86 per cent of large businesses said they would be more likely to pay greater attention to safeguarding data if the privacy commissioner introduced large fines for organizations that failed to adequately protect their data and data related to customers.

While nearly all (92 per cent) large businesses have a document destruction protocol, only 40 per cent have a system that is strictly adhered to by all employees. Comparatively, 43 per cent of small businesses have a protocol that all employees are aware of, even though only 55 per cent have implemented a document destruction policy, found Shred-it.

“It’s great news that large businesses are educating themselves and taking the steps necessary to protect their business and customer data,” said Mike Skidmore, privacy and security officer at Shred-it. “Yet, with the majority of data breaches occurring internally, information security protocols are only as strong as the employees that are adhering to them. Therefore, it is absolutely crucial that companies of all sizes ensure that any procedures or regulations are well-known and strictly followed.”

Small businesses are also becoming increasingly complacent about the importance of safeguarding confidential records, found Shred-it. In 2011, 38 per cent of small businesses had no protocol for storing and destroying data, compared to 42 per cent this year. And, while 34 per cent of small businesses in 2011 had no employee responsible for managing data security issues, that figure jumped to 47 per cent in 2012.

“In an uncertain and competitive economy, we understand that small businesses need to cut costs to survive,” said Skidmore. “However, by cutting corners and not taking the necessary steps to safeguard their sensitive data, companies are leaving themselves vulnerable to financial ramifications and reputational damage and are putting their customers at risk of scams and theft.”

Nearly two-thirds (61 per cent) of small businesses said they do not believe they would be seriously impacted by a data breach, though 22 per cent have been the victim of one. And two-thirds of large organizations have suffered a data breach.

“Relaxed protocols or not having the right resources in place can detract from the culture of security that organizations want to cultivate in order to protect themselves and their clients from fraud,” he said.

To help all businesses safeguard confidential data, Shred-it recommends employers take the following steps:

• Conduct a security audit to determine the level of data security risk at an organization.

• Implement a “shred-all policy” and mandate all unneeded documents be destroyed on a frequent basis.

• Provide employees with a locked console where they can deposit their unneeded documents prior to disposal.

• Hire a reliable third-party professional vendor to help ensure compliance with legal requirements and securely and safely destroy all unneeded documents.

• Ensure electronic records are protected as well. Simply erasing or degaussing a hard drive or photocopier memory does not remove information completely — physically destroying the hardware is the only way to ensure that data is gone forever.